-After applying this patch, run these commands for a successful build:
-
- ./prepare-source
- ./configure
- make
-
-Casey Marshall writes:
+Casey Marshall wrote:
I've been hacking together a way to use rsync with OpenSSL, and have
attached my current patch against a recent CVS tree. The details of
All warnings apply; I don't do C programming all that often, so I
can't say if I've left any cleanup/compatibility errors in the code.
+To use this patch, run these commands for a successful build:
+
+ patch -p1 <patches/openssl-support.diff
+ ./prepare-source
+ ./configure
+ make
--- old/Makefile.in
+++ new/Makefile.in
extern int am_server;
extern int am_daemon;
extern int io_error;
-+#if HAVE_OPENSSL
++#ifdef HAVE_OPENSSL
+extern int use_ssl;
+#endif
extern int keep_partial;
extern int log_got_error;
extern char *partial_dir;
-@@ -106,6 +109,11 @@ void _exit_cleanup(int code, const char
- SIGACTION(SIGUSR1, SIG_IGN);
- SIGACTION(SIGUSR2, SIG_IGN);
+@@ -117,6 +120,14 @@ NORETURN void _exit_cleanup(int code, co
+ code, file, line);
+ }
-+#if HAVE_OPENSSL
-+ if (use_ssl)
-+ end_tls();
++#ifdef HAVE_OPENSSL
++ /* FALLTHROUGH */
++#include "case_N.h"
++
++ if (use_ssl)
++ end_tls();
+#endif
+
- if (verbose > 3) {
- rprintf(FINFO,"_exit_cleanup(code=%d, file=%s, line=%d): entered\n",
- code, file, line);
+ /* FALLTHROUGH */
+ #include "case_N.h"
+
--- old/clientserver.c
+++ new/clientserver.c
-@@ -29,6 +29,9 @@ extern int am_sender;
+@@ -30,6 +30,9 @@ extern int am_sender;
extern int am_server;
extern int am_daemon;
extern int am_root;
-+#if HAVE_OPENSSL
++#ifdef HAVE_OPENSSL
+extern int use_ssl;
+#endif
extern int rsync_port;
+ extern int ignore_errors;
extern int kluge_around_eof;
- extern int daemon_over_rsh;
-@@ -105,8 +108,18 @@ int start_socket_client(char *host, char
+@@ -107,8 +110,18 @@ int start_socket_client(char *host, char
set_socket_options(fd, sockopts);
ret = start_inband_exchange(user, path, fd, fd, argc);
+ if (ret)
+ return ret;
-+
-+#if HAVE_OPENSSL
+
+- return ret ? ret : client_run(fd, fd, -1, argc, argv);
++#ifdef HAVE_OPENSSL
+ if (use_ssl) {
+ int f_in = get_tls_rfd();
+ int f_out = get_tls_wfd();
+ return client_run(f_in, f_out, -1, argc, argv);
+ }
+#endif
-
-- return ret ? ret : client_run(fd, fd, -1, argc, argv);
++
+ return client_run(fd, fd, -1, argc, argv);
}
- int start_inband_exchange(char *user, char *path, int f_in, int f_out,
-@@ -167,6 +180,33 @@ int start_inband_exchange(char *user, ch
+ int start_inband_exchange(const char *user, char *path, int f_in, int f_out,
+@@ -169,6 +182,33 @@ int start_inband_exchange(const char *us
if (verbose > 1)
print_child_argv(sargs);
-+#if HAVE_OPENSSL
++#ifdef HAVE_OPENSSL
+ if (use_ssl) {
+ io_printf(f_out, "#starttls\n");
+ while (1) {
p = strchr(path,'/');
if (p) *p = 0;
io_printf(f_out, "%s\n", path);
-@@ -195,6 +235,10 @@ int start_inband_exchange(char *user, ch
+@@ -197,6 +237,10 @@ int start_inband_exchange(const char *us
* server to terminate the listing of modules.
* We don't want to go on and transfer
* anything; just exit. */
-+#if HAVE_OPENSSL
++#ifdef HAVE_OPENSSL
+ if (use_ssl)
+ end_tls();
+#endif
exit(0);
}
-@@ -202,6 +246,10 @@ int start_inband_exchange(char *user, ch
+@@ -204,6 +248,10 @@ int start_inband_exchange(const char *us
rprintf(FERROR, "%s\n", line);
/* This is always fatal; the server will now
* close the socket. */
-+#if HAVE_OPENSSL
++#ifdef HAVE_OPENSSL
+ if (use_ssl)
+ end_tls();
+#endif
return -1;
}
-@@ -718,6 +766,7 @@ static void send_listing(int fd)
- io_printf(fd,"@RSYNCD: EXIT\n");
- }
-
-+
- /* this is called when a connection is established to a client
- and we want to start talking. The setup of the system is done from
- here */
-@@ -776,6 +825,9 @@ int start_daemon(int f_in, int f_out)
+@@ -785,6 +833,9 @@ int start_daemon(int f_in, int f_out)
if (protocol_version > remote_protocol)
protocol_version = remote_protocol;
-+#if HAVE_OPENSSL
++#ifdef HAVE_OPENSSL
+retry:
+#endif
line[0] = 0;
if (!read_line(f_in, line, sizeof line - 1))
return -1;
-@@ -787,6 +839,20 @@ int start_daemon(int f_in, int f_out)
+@@ -796,6 +847,20 @@ int start_daemon(int f_in, int f_out)
return -1;
}
-+#if HAVE_OPENSSL
++#ifdef HAVE_OPENSSL
+ if (use_ssl && strcmp(line, "#starttls") == 0) {
+ io_printf(f_out, "@RSYNCD: starttls\n");
+ if (start_tls(f_in, f_out)) {
int always_checksum = 0;
int list_only = 0;
-+#if HAVE_OPENSSL
++#ifdef HAVE_OPENSSL
+int use_ssl = 0;
+char *ssl_cert_path = NULL;
+char *ssl_key_path = NULL;
#define MAX_BATCH_NAME_LEN 256 /* Must be less than MAXPATHLEN-13 */
char *batch_name = NULL;
-@@ -200,6 +208,7 @@ static void print_rsync_version(enum log
+@@ -201,6 +209,7 @@ static void print_rsync_version(enum log
char const *hardlinks = "no ";
char const *links = "no ";
char const *ipv6 = "no ";
STRUCT_STAT *dumstat;
#ifdef HAVE_SOCKETPAIR
-@@ -222,6 +231,10 @@ static void print_rsync_version(enum log
+@@ -223,6 +232,10 @@ static void print_rsync_version(enum log
ipv6 = "";
#endif
-+#if HAVE_OPENSSL
++#ifdef HAVE_OPENSSL
+ ssl = "";
+#endif
+
rprintf(f, "%s version %s protocol version %d\n",
RSYNC_NAME, RSYNC_VERSION, PROTOCOL_VERSION);
rprintf(f, "Copyright (C) 1996-2006 by Andrew Tridgell, Wayne Davison, and others.\n");
-@@ -234,9 +247,9 @@ static void print_rsync_version(enum log
- /* Note that this field may not have type ino_t. It depends
- * on the complicated interaction between largefile feature
- * macros. */
-- rprintf(f, " %sinplace, %sIPv6, "
-+ rprintf(f, " %sinplace, %sIPv6, %sSSL, "
- "%d-bit system inums, %d-bit internal inums\n",
-- have_inplace, ipv6,
-+ have_inplace, ipv6, ssl,
- (int) (sizeof dumstat->st_ino * 8),
- (int) (sizeof (int64) * 8));
+@@ -233,8 +246,8 @@ static void print_rsync_version(enum log
+ (int)(sizeof (int64) * 8));
+ rprintf(f, " %ssocketpairs, %shardlinks, %ssymlinks, %sIPv6, batchfiles, %sinplace,\n",
+ got_socketpair, hardlinks, links, ipv6, have_inplace);
+- rprintf(f, " %sappend\n",
+- have_inplace);
++ rprintf(f, " %sappend, %sSSL\n",
++ have_inplace, ssl);
+
#ifdef MAINTAINER_MODE
-@@ -383,6 +396,13 @@ void usage(enum logcode F)
+ rprintf(f, "Panic Action: \"%s\"\n", get_panic_action());
+@@ -382,6 +395,13 @@ void usage(enum logcode F)
rprintf(F," -4, --ipv4 prefer IPv4\n");
rprintf(F," -6, --ipv6 prefer IPv6\n");
#endif
-+#if HAVE_OPENSSL
++#ifdef HAVE_OPENSSL
+ rprintf(F," --ssl allow socket connections to use SSL\n");
+ rprintf(F," --ssl-cert=FILE path to daemon's SSL certificate\n");
+ rprintf(F," --ssl-key=FILE path to daemon's SSL private key\n");
rprintf(F," --version print version number\n");
rprintf(F,"(-h) --help show this help (-h works with no other options)\n");
-@@ -396,7 +416,7 @@ enum {OPT_VERSION = 1000, OPT_DAEMON, OP
+@@ -395,7 +415,7 @@ enum {OPT_VERSION = 1000, OPT_DAEMON, OP
OPT_FILTER, OPT_COMPARE_DEST, OPT_COPY_DEST, OPT_LINK_DEST, OPT_HELP,
OPT_INCLUDE, OPT_INCLUDE_FROM, OPT_MODIFY_WINDOW, OPT_MIN_SIZE, OPT_CHMOD,
OPT_READ_BATCH, OPT_WRITE_BATCH, OPT_ONLY_WRITE_BATCH, OPT_MAX_SIZE,
OPT_SERVER, OPT_REFUSED_BASE = 9000};
static struct poptOption long_options[] = {
-@@ -541,6 +561,13 @@ static struct poptOption long_options[]
+@@ -543,6 +563,13 @@ static struct poptOption long_options[]
{"checksum-seed", 0, POPT_ARG_INT, &checksum_seed, 0, 0, 0 },
{"server", 0, POPT_ARG_NONE, 0, OPT_SERVER, 0, 0 },
{"sender", 0, POPT_ARG_NONE, 0, OPT_SENDER, 0, 0 },
-+#if HAVE_OPENSSL
++#ifdef HAVE_OPENSSL
+ {"ssl", 0, POPT_ARG_NONE, 0, OPT_USE_SSL, 0, 0},
+ {"ssl-cert", 0, POPT_ARG_STRING, &ssl_cert_path, OPT_USE_SSL, 0, 0},
+ {"ssl-key", 0, POPT_ARG_STRING, &ssl_key_path, OPT_USE_SSL, 0, 0},
/* All the following options switch us into daemon-mode option-parsing. */
{"config", 0, POPT_ARG_STRING, 0, OPT_DAEMON, 0, 0 },
{"daemon", 0, POPT_ARG_NONE, 0, OPT_DAEMON, 0, 0 },
-@@ -1084,6 +1111,12 @@ int parse_arguments(int *argc, const cha
+@@ -570,6 +597,13 @@ static void daemon_usage(enum logcode F)
+ rprintf(F," -4, --ipv4 prefer IPv4\n");
+ rprintf(F," -6, --ipv6 prefer IPv6\n");
+ #endif
++#ifdef HAVE_OPENSSL
++ rprintf(F," --ssl allow socket connections to use SSL\n");
++ rprintf(F," --ssl-cert=FILE path to daemon's SSL certificate\n");
++ rprintf(F," --ssl-key=FILE path to daemon's SSL private key\n");
++ rprintf(F," --ssl-key-passwd=PASS password for PEM-encoded private key\n");
++ rprintf(F," --ssl-ca-certs=FILE path to trusted CA certificates\n");
++#endif
+ rprintf(F," --help show this help screen\n");
+
+ rprintf(F,"\n");
+@@ -596,6 +630,13 @@ static struct poptOption long_daemon_opt
+ {"protocol", 0, POPT_ARG_INT, &protocol_version, 0, 0, 0 },
+ {"server", 0, POPT_ARG_NONE, &am_server, 0, 0, 0 },
+ {"temp-dir", 'T', POPT_ARG_STRING, &tmpdir, 0, 0, 0 },
++#ifdef HAVE_OPENSSL
++ {"ssl", 0, POPT_ARG_NONE, 0, OPT_USE_SSL, 0, 0},
++ {"ssl-cert", 0, POPT_ARG_STRING, &ssl_cert_path, OPT_USE_SSL, 0, 0},
++ {"ssl-key", 0, POPT_ARG_STRING, &ssl_key_path, OPT_USE_SSL, 0, 0},
++ {"ssl-key-passwd", 0, POPT_ARG_STRING, &ssl_key_passwd, OPT_USE_SSL, 0, 0},
++ {"ssl-ca-certs", 0, POPT_ARG_STRING, &ssl_ca_path, OPT_USE_SSL, 0, 0},
++#endif
+ {"verbose", 'v', POPT_ARG_NONE, 0, 'v', 0, 0 },
+ {"no-verbose", 0, POPT_ARG_VAL, &verbose, 0, 0, 0 },
+ {"no-v", 0, POPT_ARG_VAL, &verbose, 0, 0, 0 },
+@@ -855,6 +896,12 @@ int parse_arguments(int *argc, const cha
+ verbose++;
+ break;
+
++#ifdef HAVE_OPENSSL
++ case OPT_USE_SSL:
++ use_ssl = 1;
++ break;
++#endif
++
+ default:
+ rprintf(FERROR,
+ "rsync: %s: %s (in daemon mode)\n",
+@@ -878,6 +925,17 @@ int parse_arguments(int *argc, const cha
+ exit_cleanup(RERR_SYNTAX);
+ }
+
++#ifdef HAVE_OPENSSL
++ if (use_ssl) {
++ if (init_tls()) {
++ snprintf(err_buf, sizeof(err_buf),
++ "Openssl error: %s\n",
++ get_ssl_error());
++ return 0;
++ }
++ }
++#endif
++
+ *argv = poptGetArgs(pc);
+ *argc = count_args(*argv);
+ am_starting_up = 0;
+@@ -1093,6 +1151,12 @@ int parse_arguments(int *argc, const cha
usage(FINFO);
exit_cleanup(0);
++#ifdef HAVE_OPENSSL
+ case OPT_USE_SSL:
-+#if HAVE_OPENSSL
+ use_ssl = 1;
-+#endif
+ break;
++#endif
+
default:
/* A large opt value means that set_refuse_options()
* turned this option off. */
-@@ -1364,6 +1397,17 @@ int parse_arguments(int *argc, const cha
+@@ -1371,6 +1435,17 @@ int parse_arguments(int *argc, const cha
if (delay_updates && !partial_dir)
partial_dir = tmp_partialdir;
-+#if HAVE_OPENSSL
++#ifdef HAVE_OPENSSL
+ if (use_ssl) {
+ if (init_tls()) {
+ snprintf(err_buf, sizeof(err_buf),
if (inplace) {
#ifdef HAVE_FTRUNCATE
if (partial_dir) {
-@@ -1781,10 +1825,27 @@ char *check_for_hostspec(char *s, char *
+@@ -1798,10 +1873,27 @@ char *check_for_hostspec(char *s, char *
char *p;
int not_host;
int hostlen;
+ if (!port_ptr)
+ url_prefix_len = 0;
+ else if (strncasecmp(URL_PREFIX, s, url_prefix_len) != 0) {
-+#if HAVE_OPENSSL
++#ifdef HAVE_OPENSSL
+ url_prefix_len = sizeof SSL_URL_PREFIX - 1;
+ if (strncasecmp(SSL_URL_PREFIX, s, url_prefix_len) != 0)
+ url_prefix_len = 0;
#define BACKUP_SUFFIX "~"
-@@ -419,6 +420,11 @@ enum msgcode {
+@@ -473,6 +474,11 @@ enum msgcode {
# define SIZEOF_INT64 SIZEOF_OFF_T
#endif
-+#if HAVE_OPENSSL
++#ifdef HAVE_OPENSSL
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#endif
* allow files to have 64-bit inums. That's because the
--- old/ssl.c
+++ new/ssl.c
-@@ -0,0 +1,366 @@
+@@ -0,0 +1,370 @@
+/* -*- c-file-style: "linux" -*-
+ * ssl.c: operations for negotiating SSL rsync connections.
+ *
+
+#include "rsync.h"
+
-+#if HAVE_SYS_SELECT_H
++#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#else
+#include <sys/time.h>
+static int ssl_running;
+static int ssl_pid = -1;
+
++#ifdef HAVE_SIGACTION
++static struct sigaction sigact;
++#endif
++
+/**
+ * A non-interactive callback to be passed to SSL_CTX_set_default_password_cb,
+ * which merely copies the value of ssl_key_passwd into buf. This is
+ return 0;
+ }
+
-+ signal(SIGUSR1, tls_sigusr1);
++ SIGACTION(SIGUSR1, tls_sigusr1);
+ ssl = SSL_new(ssl_ctx);
+ if (!ssl)
+ goto closed;
Matt McCutchen's Web Site / rsync / rsync-patches.git / blobdiff